I tend to have just one browser window open, with many, many tabs (once they added up to 27…) in no particular order, and the latest phishing-like technique is scaring me.
You know, the bad guys are always scratching their heads to find new ways to hurt the good guys. Their new trick has been called “tabnabbing” and it is a sort of improved or revisited phishing technique.
From Azarask:
How The Attack Works
- A user navigates to your normal looking site.
- You detect when the page has lost its focus and hasn’t been interacted with for a while.
- Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.
- As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
- After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.
We’ll call this new type of phishing attack “tabnabbing“.
Targeted Attacks
There are many ways to potentially improve the efficacy of this attack.
Using my CSS history miner you can detect which site a visitor uses and then attack that site (although this is no longer possible in Firefox betas). For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand.
Even more deviously, there are various methods to know whether a user is currently logged into a service. These methods range from timing attacks on image loads, to seeing where errors occur when you load an HTML webpage in a script tag*. Once you know what services a user is currently logged in to, the attack becomes even more effective.
[*] Think looking for the exact error thrown when embedding <script src="http://gmail.com"/>: it will differ depending on whether the user is logged in or logged out.
You can make this attack even more effective by changing the copy: Instead of having just a login screen, you can mention that the session has timed out and the user needs to re-authenticate. This happens often on bank websites, which makes them even more susceptible to this kind of attack.
Attack Vector
Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evil doer to use your website as a staging ground for this kind of attack. If you are the evil doer, you can have this behavior only occur once in a while, and only if the user uses a targeted service. In other words, it could be hard to detect.
You can also use cross-site scripting vulnerabilities to force the attack to be performed by other websites. And for browsers that do not support changing the favicon, you can use a location.assign call to navigate the page to a controlled domain with the correct favicon. As long as the user wasn’t looking at the tab when the refresh occurred (which they won’t be), they’ll have no idea what hit them. Combine this with look-alike Unicode domain names and even the most savvy user will have trouble detecting anything is amiss.
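The common thread in the steps quoted above is that the tab's identity (its title and favicon) changes while nobody is looking at it. That is also the signal a defender can watch for. The following is an added example, not code from this post or from Aza Raskin's write-up: a small detector that scans an event log of visibility changes and head mutations and flags title or favicon changes that happened while the tab was hidden. It runs offline on a constructed log (all origins, titles and timestamps are made up), and `wireDomHooks()` shows how a user-side script such as an extension content script would feed it real events.

```javascript
// Added example, not code from the original post or from Aza Raskin's write-up.
// Defensive idea: a tab's identity (title + favicon) should not change while the
// tab is hidden. detectTabnabbing() scans an event log for exactly that, so the
// logic can be exercised offline on constructed input; wireDomHooks() shows how a
// user-side script (e.g. an extension content script) would feed it real events.
// All URLs, titles and timestamps below are constructed sample data.

const PAGE_ORIGIN = 'https://harmless.example'; // constructed

// Constructed log of what a victim tab might record during a tab-identity swap.
const SAMPLE_EVENTS = [
  { t: 0,     type: 'title',      value: 'Harmless Blog' },
  { t: 0,     type: 'favicon',    href: '/favicon.ico' },
  { t: 1000,  type: 'visibility', state: 'hidden' },            // user switches tab
  { t: 61000, type: 'title',      value: 'Gmail: Email from Google' },
  { t: 61001, type: 'favicon',    href: 'https://cdn.attacker.example/gmail.ico' },
  { t: 65000, type: 'visibility', state: 'visible' },           // user comes back
];

// Constructed benign log: an unread-count title update while the tab is in view.
const BENIGN_EVENTS = [
  { t: 0,    type: 'title',      value: 'Harmless Blog' },
  { t: 0,    type: 'favicon',    href: '/favicon.ico' },
  { t: 5000, type: 'title',      value: '(2) Harmless Blog' },
  { t: 6000, type: 'visibility', state: 'hidden' },
  { t: 9000, type: 'visibility', state: 'visible' },
];

function originOf(href, base) {
  try { return new URL(href, base).origin; } catch (e) { return null; }
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function detectTabnabbing(events, pageOrigin) {
  const findings = [];
  let hidden = false, hiddenSince = null, title = null, favicon = null;
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === 'visibility') {
      hidden = ev.state === 'hidden';
      hiddenSince = hidden ? ev.t : null;
    } else if (ev.type === 'title') {
      if (hidden && title !== null && ev.value !== title) {
        findings.push({ kind: 'title-changed-while-hidden', severity: 'high',
                        from: title, to: ev.value, t: ev.t, hiddenForMs: ev.t - hiddenSince });
      }
      title = ev.value;
    } else if (ev.type === 'favicon') {
      if (hidden && favicon !== null && ev.href !== favicon) {
        findings.push({ kind: 'favicon-changed-while-hidden', severity: 'high',
                        from: favicon, to: ev.href, t: ev.t, hiddenForMs: ev.t - hiddenSince });
      }
      // A favicon served from another origin is only a weak signal on its own
      // (CDNs are common), so it is reported at low severity.
      if (originOf(ev.href, pageOrigin) !== pageOrigin) {
        findings.push({ kind: 'favicon-cross-origin', severity: 'low', href: ev.href, t: ev.t });
      }
      favicon = ev.href;
    }
  }
  return findings;
}

// Browser wiring (runs only where a DOM exists): record visibility changes and
// <head> mutations, then warn when the tab becomes visible again.
function wireDomHooks() {
  const log = [];
  const now = () => Date.now();
  const iconHref = () => {
    const link = document.querySelector('link[rel~="icon"]');
    return link ? link.getAttribute('href') : '/favicon.ico';
  };
  log.push({ t: now(), type: 'title', value: document.title });
  log.push({ t: now(), type: 'favicon', href: iconHref() });
  new MutationObserver(() => {
    log.push({ t: now(), type: 'title', value: document.title });
    log.push({ t: now(), type: 'favicon', href: iconHref() });
  }).observe(document.head, { subtree: true, childList: true, characterData: true, attributes: true });
  document.addEventListener('visibilitychange', () => {
    log.push({ t: now(), type: 'visibility', state: document.visibilityState });
    if (document.visibilityState === 'visible') {
      const high = detectTabnabbing(log, location.origin).filter(f => f.severity === 'high');
      if (high.length) console.warn('Tab identity changed while hidden:', high);
    }
  });
}

if (typeof document !== 'undefined') {
  wireDomHooks();
} else {
  console.log(JSON.stringify(detectTabnabbing(SAMPLE_EVENTS, PAGE_ORIGIN), null, 2));
}
```

Run under Node it prints the three findings for the constructed swap and nothing for the benign log, where the title only changes while the tab is visible. The `location.assign` variant quoted above (navigating the hidden tab to another domain) is not caught by head mutations; for that case the check would have to compare `location.origin` before and after the tab was hidden, which a content script can do by recording the origin on `hidden` and re-reading it on `visible`.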
Thus, while you are going here and there in your messy browser tabs, one of the sites changes itself (including the tab icon…), pretending to be another site and asking for your login and password. It’s not strange for a site to ask for your login and password more than once, so you will think this is a legitimate request and you will be ****ed.
To see this attack in action, open a new tab and visit the link where they describe this new kind of phishing; then move to another tab. You will see the tab you left change itself to mimic Gmail.
I tried this on my PC and it worked with Firefox but not with Chrome, but it worked on the Opera browser installed on my Touch Pro2, as you can see in the images below (only the tab icon didn’t change).
Before the attack
Moving to another tab and going back shows the site changed (the icon didn’t, though)
Scary, especially when it says:
Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evil doer to use your website as a staging ground for this kind of attack.
So, time to be more careful with those tabs…
Link: Azarask
Question of the Day: How Many Applications Do You Regularly Use on Your Handheld?
This topic was posed backstage at JAMM the other day, with someone commenting that they didn’t use many third-party solutions. I would argue that the proper third-party applications aren’t being used, because if they were, one would likely find using the phone without them less than joyful at best. In truth, though, this started me thinking about the number of apps that are installed on my Touch Pro, the number I use daily and the number I use frequently (multiple times a week).
Maybe I’m what you’d consider an old dinosaur, a “power user”, with a quick count revealing 20 applications that I use at least once per day. Granted, a few of these are running in the background, such as BattClock, WisBar Advance and Resco Backup, to name a few. Applications that I use on a frequent but not daily basis probably bring the total to between 35 and 40, games not included.
How many applications do you use on a daily basis? On a weekly basis?
Skooba Design is offering an EXTRA 25% off of the sale price of their Skooba Satchel 2.0 and Satchel Luxe. This discount is for the first 100 orders, and all you need to do is enter discount code = SUMMERDIP25.
I own a few different Skooba bags, and I have never been disappointed. The quality is top notch, and they will exceed your expectations. If you need a new laptop bag, don’t pass this up. Take it from a true bag addict, me.
So, you want to get your JAMM fix without using a RSS reader or our mobile site from your Symbian phone? Well, thanks to some of the new app publishing tools from Nokia, you can now download the Just Another Mobile Monday app from the Ovi Store directly from your phone.

It even comes with a great JAMM icon that you can add to your home screen. Head on over to the Ovi Store to download the Just Another Mobile Monday app today!

SPB Mobile Shell has been one of the great Windows Mobile programs over the past several years. Along with HTC’s TouchFLO/Sense UI, it would really give Windows Mobile a great, user-friendly user interface. The main complaint I hear about Symbian/S60 lately is that the UI is out-dated and stale. I have to agree, so it is great to see SPB bring their Mobile Shell program to help users breathe new life into their Symbian 5th Edition devices.
May 25th, 2010 – SPB Software, a leading mobile software developer, has launched SPB Mobile Shell 3.5 for Symbian. A best-selling customisation and personalisation tool for touchscreen user interfaces, SPB Mobile Shell for Symbian lets Symbian users make the most of their mobile phones.
With recent Gartner statistics showing that smartphones with a Symbian OS are the fastest-selling mobiles in the world, SPB Software is catering to the huge demand for customisation and personalisation on Symbian OS-based devices.
“Up until now there hasn’t been a good user interface for Symbian yet despite the number of users out there,” said Sebastian-Justus Schmidt, CEO of SPB Software. “Our aim is to bring our experience with Windows Mobile users to Symbian (and other OS) enthusiasts. Last year we launched six projects for the Symbian platform and partnered with Nokia, StarHub and MTS, customising and helping implement the products for Symbian OS. The simple implementation process means manufacturers and mobile operators can easily customise the products on a variety of platforms to offer the same capabilities to all users.”
SPB Mobile Shell was initially launched in 2007 and has seen global success with many award wins and several million licences being shipped by more than 15 device manufacturers. SPB Software has also joined open industry standard, Symbian Foundation, to ensure its applications for Symbian OS are at the forefront of what its users want.
SPB Mobile Shell 3.5 for Symbian Main Features:
- Multiple customizable homescreens
- Widgets for tasks, agenda, weather and a lot of others
- Widget-based photo contacts
- Launcher with fast access to all the features
- Adaptive skins, support for OpenGL and 3D carousel
Pricing and Availability
SPB Mobile Shell 3.5 is available for Symbian-based touchscreen devices (works on Symbian S60 5th Edition and higher) from 25 May 2010. It can be purchased for $29.95, or a 15-day free trial version may be downloaded at www.spb.com.
So, if you have a Symbian S60 5th Edition phone, head on over to SPB Software’s site and check out the trial or buy your copy of Mobile Shell.